Public companies and accountants are optimistic that new standards for compliance with Sarbanes-Oxley legislation will help to relieve some of the time and cost of audits. But the new regulations are no free ride. The bulk of the burden imposed on corporate America as a result of the passage of Sarbanes-Oxley, or SOX as the law is called in the trade, remains in place. Public companies will still be required to undergo rigorous testing of internal controls and procedures, a process that has proven to be quite costly. And with the revisions, small-cap companies’ hopes that they would be excluded from the regulations altogether were dashed. “With just about every small, not accelerated client, this is far less than what they were hoping,” said Kevin D. Holmes, partner in charge of the Sarbanes-Oxley consulting practice at Good Swartz Brown & Berns LLP. “Most wanted a complete exemption. But that being said, I think it was what they expected.” SOX, put into place following the revelations of fraud at Enron, WorldCom and others, was designed to place tighter financial controls on organizations and reduce the likelihood that such transgressions would recur. But the legislation included little guidance on how, exactly, to comply. As a result, companies left the task in the hands of auditors, who, in turn, took a better-safe-than-sorry approach, leaving no stone unturned in the procedures they set up. “The lack of guidance from the SEC and an abundance of guidance from external audit firms caused companies to overdo Sarbanes-Oxley to their own detriment,” said Stephen Masterson, a partner with Grant Thornton LLP. In general, auditors delineated and documented nearly every process in the company’s operation, set up controls to make certain the reporting was accurate and then set up tests on those controls. While no one argued that Sarbanes-Oxley was unnecessary, the legislation was largely viewed as excessively burdensome, particularly for small companies. Indeed, the burden these rules posed to companies with market caps under $75 million was so widely recognized that the feds pushed back the deadline for compliance for these firms, now at 2008. Although smaller companies were hoping for a bigger break that more specifically addressed their issues, when the SEC issued its revision last month it chose to offer a blanket solution for large and small companies alike. The revision came in the form of a new auditing standard, AS No. 5, that provides guidance for management to use in evaluating internal controls over financial reporting, something they hadn’t had before. More specifically, it allows management to set its own risk assessment standards, so whereas nearly every line item may have been audited before, management can now exercise discretion over the items that are really integral to the company’s operation. A small company, for instance, whose biggest line items are service contracts and payroll, may not have to evaluate as many factors as a large company that has benefit plans, multi-location payroll, equipment expenditures and other large expenses. “Before, management would take everything it does in the company, whether it related to financial reporting or not, and document and test it for SOX,” said Masterson. “Now management is starting at the top and working down. They can determine what really is a risk and what can materially impact the business.” Under the new rules, managers will be able to have more impact on those decisions because auditors will no longer be required to issue opinions on the company’s risk determinations. But, as some are quick to point out, auditors will still have to audit the processes managers deem relevant. “At the end of the day, the auditors still have the power of their audit report, which is a pretty big club,” said Holmes. Small companies, too, point out that while the revisions will help, they have done little to eliminate the bulk of the work involved. “It’s not going to be that much of a savings,” said Raffy Lorentzian, CFO at National Technical Systems Inc., a Calabasas-based provider of engineering services. “What they did is eliminated a lot of the detail, but we still have to go through a lot of processes and go through a lot to make sure the internal controls are in place.” As at NTS, the new guidance will help simplify some of the process at Ixia, a provider of testing services based in Calabasas that operates some overseas locations. “Our feeling is next year it may save us a little bit of money at some of our international locations so I think we view it as a small step in the right direction,” said Tom Miller, Ixia CFO. “We can look at these offshore locations and say we have good controls in place, we can reduce testing and keep it at a reasonable level.” Still, Miller noted, “It isn’t really scaling anything back, it’s just putting a little more judgment in the process.” By tailoring some of those risk areas, accountants expect that companies will shave about 10 percent off the cost of compliance with SOX, which has run to millions of dollars, even for small companies. And it may reduce an additional 20 percent to 30 percent if auditors, indeed, end up testing fewer factors. But at the end of the day, the audit firm will still be conducting an audit of the procedures and accountants are recommending that companies partner with audit firms as they develop their risk assessment. “The best set of circumstances would be for management and auditors to agree upfront on the risk assessment and how much work should be done in certain areas,” said Holmes. “If they’re generally on the same page, you’re not going to have problems when they do audit work.” Sarbanes-Oxley Timeline 2002: Signed into law 2004: Implementation deadline for large companies 2005: SEC advisory committee recommends exempting some smaller companies from SOX requirements. The recommendation is ultimately rejected. 2007: SEC issues revised guidelines, AS 5. 2008: Current implementation deadline for small companies.
